Conti Ransomware Looks to Wipe Victim Backups

Security company Advanced Intelligence has published a report on the latest developments around the Conti ransomware gang. The researchers highlight the gang's new emphasis on destroying backups as a way to put extra pressure on victims and push them towards paying the ransom: a victim who cannot restore from backup has far fewer options than one who can.

Conti is one of the most infamous ransomware gangs, known for being completely unscrupulous in its choice of victims. While some groups, such as DarkSide, at least tried to play Robin Hood and justify their crimes by boasting that they never attack educational or healthcare institutions, Conti has carried out attacks on a number of hospitals and other healthcare entities. An attack of that kind is never only about the monetary damage; there is always a threat to human life.

According to the researchers, Conti is now actively recruiting affiliates who are particularly good at wiping out victim backups. The gang is targeting one backup product in particular: the backup creation and management software made by Veeam.

Conti's intrusions rely on tooling that has become standard across the ransomware landscape: Cobalt Strike beacons, alongside other legitimate, dual-use tools, are used to gain a foothold in the compromised network and to maintain persistence while the operators move towards domain administrator privileges.

The kicker is that once Conti operators obtain an account with administrative rights over the backup infrastructure, they can do whatever they like with the backups, including deleting them outright. The Advanced Intelligence report prompted an official statement from Veeam, the company whose backup software Conti seeks to circumvent.

Veeam's position is that if the ransomware operators get hold of a privileged domain administrator account, nothing in the product can stop them from wiping the victim's backups: a domain admin is, by design, able to administer every system joined to that domain, including a domain-joined backup server. No patch or new feature changes that, so Veeam recommends that customers run the backup infrastructure in a separate domain, isolated from production, so that compromising the primary domain does not automatically spell doom for the backups as well. That isolation only holds if the backup domain shares no trust relationship and no reused credentials with production; otherwise a production domain admin still has a path onto the backup servers.
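If the backup servers really do live in their own domain, then any successful logon to them by a production-domain account is a policy violation worth alerting on, and it is exactly the step an attacker takes before wiping backups with a stolen domain admin account. The following Python script, an added example that is not part of the article and not Veeam's or Advanced Intelligence's code, implements that detection over Windows Security event 4624 records. The host names (vbr01, vbr-repo01), the domain names (BACKUP, CORP), the account names, and the key=value log line format are all assumptions constructed for the example; the field names (EventID, Computer, TargetUserName, TargetDomainName, LogonType, IpAddress) are the ones event 4624 actually carries.

```python
"""Flag production-domain logons to isolated backup servers.

Added example, not code from the article or from Veeam. It assumes the
backup servers have been moved into their own Active Directory domain
(here "BACKUP"), as Veeam recommends, so that any successful logon to
those hosts by an account from the production domain ("CORP") violates
the isolation and should page someone. Field names are those of Windows
Security event 4624; the key=value line format and all host, domain and
account names below are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Assumed inventory: backup hosts (short names), their isolated domain,
# and the production domain(s) whose accounts must never log on to them.
BACKUP_HOSTS = {"vbr01", "vbr-repo01"}
BACKUP_DOMAIN = "BACKUP"
PRODUCTION_DOMAINS = {"CORP"}

# 4624 logon types that give the caller a usable session on the host:
# 2 = Interactive, 3 = Network (SMB, WinRM, RPC), 10 = RemoteInteractive (RDP).
LOGON_TYPES_OF_INTEREST = {"2", "3", "10"}


@dataclass
class Alert:
    host: str
    account: str       # DOMAIN\user
    logon_type: str
    source_ip: str
    reason: str


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed 'Key=Value Key=Value ...' log line into a dict."""
    fields: Dict[str, str] = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def evaluate(event: Dict[str, str]) -> Optional[Alert]:
    """Return an Alert if this event is a production-domain logon to a backup host."""
    if event.get("EventID") != "4624":          # only successful logons
        return None
    host = event.get("Computer", "").split(".")[0].lower()
    if host not in BACKUP_HOSTS:
        return None
    if event.get("LogonType", "") not in LOGON_TYPES_OF_INTEREST:
        return None                              # service/batch/unlock noise
    user = event.get("TargetUserName", "")
    domain = event.get("TargetDomainName", "").upper()
    if user.endswith("$"):
        return None                              # computer accounts talking to each other
    if domain in PRODUCTION_DOMAINS:
        reason = "production-domain account logged on to isolated backup host"
    elif domain not in (BACKUP_DOMAIN, host.upper(), "NT AUTHORITY"):
        reason = "account from unexpected domain logged on to backup host"
    else:
        return None                              # backup-domain, local or built-in account: expected
    return Alert(
        host=host,
        account=f"{domain}\\{user}",
        logon_type=event["LogonType"],
        source_ip=event.get("IpAddress", "-"),
        reason=reason,
    )


def scan(lines: Iterable[str]) -> List[Alert]:
    """Run evaluate() over raw log lines and keep the hits."""
    return [alert for alert in (evaluate(parse_event(line)) for line in lines) if alert]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Backup service account on its own host: expected.
    "EventID=4624 Computer=vbr01.backup.local TargetDomainName=BACKUP TargetUserName=svc-vbr LogonType=3 IpAddress=10.20.0.5",
    # Production domain admin RDPs into the backup server: the scenario the article describes.
    "EventID=4624 Computer=vbr01.backup.local TargetDomainName=CORP TargetUserName=da-jsmith LogonType=10 IpAddress=10.0.5.23",
    # Same admin on a production file server: not a backup host, ignore.
    "EventID=4624 Computer=fs01.corp.local TargetDomainName=CORP TargetUserName=da-jsmith LogonType=10 IpAddress=10.0.5.23",
    # Repository computer account authenticating to the backup server: expected.
    "EventID=4624 Computer=vbr01.backup.local TargetDomainName=BACKUP TargetUserName=VBR-REPO01$ LogonType=3 IpAddress=10.20.0.6",
    # Local administrator at the console: expected.
    "EventID=4624 Computer=vbr01.backup.local TargetDomainName=VBR01 TargetUserName=Administrator LogonType=2 IpAddress=127.0.0.1",
    # Failed logon from the production domain: a different detection, not this one.
    "EventID=4625 Computer=vbr01.backup.local TargetDomainName=CORP TargetUserName=da-jsmith LogonType=3 IpAddress=10.0.5.23",
    # Production account reaching the repository over the network (SMB/WinRM).
    "EventID=4624 Computer=vbr-repo01.backup.local TargetDomainName=CORP TargetUserName=backupops LogonType=3 IpAddress=10.0.5.99",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"{alert.host}: {alert.account} logon type {alert.logon_type} "
              f"from {alert.source_ip}: {alert.reason}")
```

Run against the constructed sample, the script raises two alerts: the production domain admin's RDP session on vbr01 and the production backupops account reaching vbr-repo01 over the network. The service account, the computer account, the local administrator and the failed logon are all ignored. In a real deployment the parser would be replaced by whatever shape the event forwarder or SIEM delivers, and the rule is only meaningful if the isolation Veeam describes is actually in place; on a domain-joined backup server every domain admin logon is "legitimate" and this check has nothing to catch.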

Conti was also the gang behind the May 2021 attack on Ireland's Health Service Executive (HSE), the country's public health service, which caused millions in damages and crippled the healthcare system's digital services for weeks.

September 30, 2021